MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 225d6cfad4d501404d8da5377a855792b43f34c955965ff613e3fe87ea0b9668. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 225d6cfad4d501404d8da5377a855792b43f34c955965ff613e3fe87ea0b9668
SHA3-384 hash: db7b7994e475001808233858bfcf1b53fae35170885300c3dcf04498b43897337f0489bf2e6f26e195572a880b8804c8
SHA1 hash: 489be044ccf17c873ada660faaf0118828e6b4ae
MD5 hash: affe42df61e094e1384749b9ce29870b
humanhash: oven-item-burger-music
File name:affe42df61e094e1384749b9ce29870b
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:399'360 bytes
First seen:2021-09-09 17:53:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 141465c8c68fc3b71c6d46d0a83a082a (2 x RedLineStealer, 1 x ArkeiStealer, 1 x RaccoonStealer)
ssdeep 12288:Fy2wb8K2bik9hB1NDFxVO6f5vEdmp5f0xomI:BwbsbnNDvV95vBDhmI
Threatray 6'064 similar samples on MalwareBazaar
TLSH T19884BE20B6B0C035F4F712F859BA93B9A92E7EB15B3080CB62D526EE56345E4DD30B53
dhash icon e0e8e8e8aa62a499 (12 x RaccoonStealer, 9 x RedLineStealer, 7 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
affe42df61e094e1384749b9ce29870b
Verdict:
Malicious activity
Analysis date:
2021-09-09 17:56:01 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/8aab1e0d-ef1c-4907-8962-933fca3883c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186727/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.15005.14864.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Sending a UDP request
Connection attempt to an infection source
Sending a TCP request to an infection source
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ebbc5051-8b06-4020-960a-f42ae269c5b9
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/848345
Signature
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/225d6cfad4d501404d8da5377a855792b43f34c955965ff613e3fe87ea0b9668/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-09-09 17:54:06 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ejowz6wu2uauatmnuu3xvbkxsk2d6ngjkwlf75qt4p7ip2qlszua._file
Verdict:
malicious
Similar samples:
09d58d081dd9364e99857ac273d52a17a0473cc64e64d0e15b2b9b2f67ef2d49
RedLineStealer
39200e0a9a72adb8213b75772aa54fdca104688e6f446f88c7624beb93c29ea3
RedLineStealer
4023763ad7b1f3cae1395dcfbfb15317c006526c355914ecf7d8506696e3b1ce
RedLineStealer
490c8bedb62d1c720cc16ffcc5816fbc3f10fbbb9a071831c2b1c0b0f0f63f7c
RedLineStealer
6ad1cf3b42e1c571f6a7a402ad29e289ea119a6929345660a98e2786a3ddace4
RedLineStealer
8498f560c45b7d2db3427aaf5a481a4e584a1aa8f59767147e895b60e08286cf
RedLineStealer
9fc6a1f5c853cfcef7ae729ea18996cdcf63eeba1391f3c33cbf8caf856fc4ef
RedLineStealer
ebfe4a01a842ddcf434e44a288773454c4c5c35602a5fba3a31e47ff010a1314
RedLineStealer
+ 6'054 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:uhd_888 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210909-wgwbzsbgak/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.119:15548
Unpacked files
SH256 hash:
65b77ac6a8f2249aafe505448a90450bf07e5f2a4682fa2f7c777ab884a67591
MD5 hash:
b3755ef650c25757664e42d20571f779
SHA1 hash:
f2f6ed658dfe816f84f22f564ddb2060556e49be
Link:
https://www.unpac.me/results/50033904-72c7-4d1b-b541-2b80e557d67a/
SH256 hash:
d6a09449292eb508a5cac09e3f5c3f1113ba73460b8e1b500fc1eda04a440b87
MD5 hash:
42ba412a88868811d4f8cdc9f6b576a9
SHA1 hash:
b2a1d3a2cddbaecfd80ea78f492f7ff0fa8ca13b
Link:
https://www.unpac.me/results/50033904-72c7-4d1b-b541-2b80e557d67a/
SH256 hash:
b2c3c7b0ed7a088566a43edcf6226e6a14eeac48ea74866cf9fa533aa085a736
MD5 hash:
a49c58211f69c0617eb99f129e4d6cf2
SHA1 hash:
a18526bf8953b6034809436462bbe15a3509f5f1
Link:
https://www.unpac.me/results/50033904-72c7-4d1b-b541-2b80e557d67a/
SH256 hash:
225d6cfad4d501404d8da5377a855792b43f34c955965ff613e3fe87ea0b9668
MD5 hash:
affe42df61e094e1384749b9ce29870b
SHA1 hash:
489be044ccf17c873ada660faaf0118828e6b4ae
Link:
https://www.unpac.me/results/50033904-72c7-4d1b-b541-2b80e557d67a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/225d6cfad4d501404d8da5377a855792b43f34c955965ff613e3fe87ea0b9668

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 225d6cfad4d501404d8da5377a855792b43f34c955965ff613e3fe87ea0b9668

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/186727/

Comments


Avatar
zbet commented on 2021-09-09 17:53:17 UTC

url : hxxp://185.215.113.119/current.exe